Keylogger[.]Ardamax[.]zip[.]zip | Triage

Sharing

General

Target

Keylogger.Ardamax.zip.zip
Size

778KB
MD5

f91529dc4e52f9988067735bdc80d07f
SHA1

1cd59d1311e6dbbc7135d69841a13fa74ca2b07f
SHA256

63f0a08fb12e0d2499086709c24fdd9828c47c73b2611eedafbd3ee224f1de24
SHA512

e3952506b4abfe605b577c2e50a5832f1eebef32b30a271d2ed55595bc27ba0691101297ec043afd02107cb2641a53e45132884c9956d47279f5768f82e5e21a
SSDEEP

24576:VWl35JV6RDgiYYmvZCRXbg+JI0sVs8dzTP0zmM:klpKRD3Oa8+JIJ3IzmM

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack002/ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18

Files

Keylogger.Ardamax.zip.zip
.zip

Password: infected
Keylogger.Ardamax.zip
.zip

Password: infected
ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18
.exe windows:5 windows x86 arch:x86

Password: infected

86632da30434ccfc050190a47fb559c4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
_acmdln
__p__fmode
__set_app_type
_except_handler3
_controlfp
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
calloc
exit
memcpy
memset
_itow
??2@YAPAXI@Z
_wcsdup
??3@YAXPAX@Z
free
__p__commode

kernel32

GetModuleHandleA
GetTempPathW
GetModuleHandleW
GetModuleFileNameW
CreateFileW
SetFilePointer
CloseHandle
GetTempFileNameW
FreeLibrary
DeleteFileW
WriteFile
ReadFile
LoadLibraryW
GetProcAddress
GetStartupInfoA

user32

MessageBoxW

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ